HyperBro

HyperBro is a custom in-memory backdoor used by Threat Group-3390.[1][2][3]

ID: S0398
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 09 July 2019
Last Modified: 23 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

HyperBro has used HTTPS for C2 communications.[1]

Enterprise T1574.002 Hijack Execution Flow: DLL Side-Loading

HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload.[1]

Enterprise T1070.004 Indicator Removal on Host: File Deletion

HyperBro has the ability to delete a specified file.[1]

Enterprise T1105 Ingress Tool Transfer

HyperBro has the ability to download additional files.[1]

Enterprise T1106 Native API

HyperBro has the ability to run an application (CreateProcessW) or script/file (ShellExecuteW) via API.[1]

Enterprise T1055 Process Injection

HyperBro can run shellcode it injects into a newly created process.[1]

Enterprise T1113 Screen Capture

HyperBro has the ability to take screenshots.[1]

Enterprise T1007 System Service Discovery

HyperBro can list all services and their configurations.[1]

Enterprise T1569.002 System Services: Service Execution

HyperBro has the ability to start and stop a specified service.[1]

Groups That Use This Software

ID Name References
G0027 Threat Group-3390 [1][2][3]

References